- Overview
- Prerequisites
- Step 1: Install and Configure Ingress Controller
- Step 2: Expose ClickHouse Service via Ingress
- Step 3: Create TLS Secret (Optional)
- Step 4: Configure Antrea Flow Aggregator
In this guide, we'll walk you through the process of setting up Kubernetes Ingress with ClickHouse as the backend service and how to connect your Flow Aggregator to a ClickHouse server. Kubernetes Ingress is a powerful way to manage external access to services within your Kubernetes cluster, and ClickHouse is a popular open-source columnar database management system. By using Ingress, you can easily expose ClickHouse to external clients and manage routing and load balancing efficiently.
Before proceeding with the setup, ensure that you have the following prerequisites:
- A Kubernetes cluster up and running.
- kubectl command-line tool installed and configured to access your Kubernetes cluster.
- ClickHouse server deployed within your Kubernetes cluster.
The first step is to install an Ingress controller in your Kubernetes cluster. There are various Ingress controllers available, such as Nginx Ingress Controller, Traefik, etc. Choose one that suits your requirements and install it following the documentation provided by the controller's maintainers.
Here we use Nginx Ingress Controller as an example:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yamlAssuming you have already deployed ClickHouse as a Kubernetes service, you need to expose it using an Ingress resource. Create an Ingress manifest file (e.g., clickhouse-ingress.yaml) with the following content:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: clickhouse-ingress
namespace: flow-visibility # Replace with your desired namespace
spec:
ingressClassName: nginx # Replace with your desired class name or omit it for using default ingress class
rules:
- host: clickhouse.example.com # Replace with your desired domain/subdomain
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: clickhouse-clickhouse # Replace with your ClickHouse service name
port:
number: 8123 # Replace with your ClickHouse service port
tls: # optional
- hosts:
- clickhouse.example.com # Replace with your desired domain/subdomain
secretName: clickhouse-tls-secret # Replace with the name of your TLS secretSave the file and deploy the Ingress resource using kubectl:
kubectl apply -f clickhouse-ingress.yamlEnsure that the Ingress resource is created successfully:
kubectl get ingress clickhouse-ingressIf you don't have a TLS secret already, you need to create one. A TLS secret contains the SSL/TLS certificate and a private key used for secure HTTPS connections. You can obtain a TLS certificate from a trusted certificate authority or generate a self-signed certificate for testing purposes.
To create a TLS secret, use the following command:
kubectl create secret tls clickhouse-tls-secret --cert=path/to/cert.crt --key=path/to/key.keyReplace clickhouse-tls-secret with the desired name for the secret, and
path/to/cert.crt and path/to/key.key with the paths to your TLS certificate
and private key files.
If you set up cert-manager to manage your certificates, it can be used to issue and renew the certificate required by Ingress.
To get started, follow the cert-manager installation documentation to deploy cert-manager
and configure Issuer or ClusterIssuer resources.
Proceed to the Securing Ingress Resources documentation to learn about adding annotations to your Ingress. If you're utilizing a cluster-issuer, your Ingress configuration would appear as follows:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: clickhouse-ingress
namespace: flow-visibility # Replace with your desired namespace
annotations:
# add an annotation indicating the issuer to use. Replace the name with the real Issuer you configured.
cert-manager.io/cluster-issuer: nameOfClusterIssuer
spec:
ingressClassName: nginx # Replace with your desired class name or omit it for using default ingress class
rules:
- host: clickhouse.example.com # Replace with your desired domain/subdomain
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: clickhouse-clickhouse # Replace with your ClickHouse service name
port:
number: 8123 # Replace with your ClickHouse service port
tls: # optional
- hosts:
- clickhouse.example.com # Replace with your desired domain/subdomain
secretName: clickhouse-tls-secret # Replace with the name of your TLS secretOnce the Ingress is created, you should see the clickhouse-tls-secret
Secret created in the flow-visibility Namespace.
To access ClickHouse using the hostname defined in the Ingress
(e.g., clickhouse.example.com), you must configure databaseURL and
hostAliases to your Flow Aggregator yaml file.
Change databseURL and hostAliases in flow-aggregator.conf:
flow-aggregator.conf: |
# -- HostAliases to be injected into the Pod's hosts file.
# For example: `[{"ip": "8.8.8.8", "hostnames": ["clickhouse.example.com"]}]`
hostAliases: [{"ip": "8.8.8.8", "hostnames": ["clickhouse.example.com"]}]
...
# clickHouse contains ClickHouse related configuration options.
clickHouse:
# Enable is the switch to enable exporting flow records to ClickHouse.
enable: true
# Database is the name of database where Antrea "flows" table is created.
database: "default"
# DatabaseURL is the url to the database. Provide the database URL as a string with format
# <Protocol>://<ClickHouse server FQDN or IP>:<ClickHouse port>. The protocol has to be
# one of the following: "tcp", "tls", "http", "https". When "tls" or "https" is used, tls
# will be enabled.
databaseURL: "http://clickhouse.example.com"Change 8.8.8.8 to the cluster's external IP where you created the Ingress.
Change clickhouse.example.com to your hostname.
If you created TLS Secret in Step 3, please follow the document
configuration-secure-connection-to-the-clickhouse-database
to create clickhouse-ca Secret and change the databaseURL to
"https://clickhouse.example.com".
You've now successfully set up Kubernetes Ingress with ClickHouse as the backend service.